crispy
New Member
November 10, 2015
Question

IPS Rule to detect and block DNS Recursion

  • November 10, 2015
  • 1 reply
  • 4846 views

Hi,

Thought I would share this with the community. I ended up writing an IPS rule to detect others trying to use our Windows DNS servers as open resolvers and causing a DDoS against others' DNS servers. The rule I wrote detects more than 5 recursive queries per minute and then quarantines the src IP address for a period of time. Hopefully someone else might also find this useful, or be able to adapt it further.

Rather than repost everything, the link to the article is here: http://cwispy.com/ips-rule-to-block-dns-recursion/


    ede_pfau
    SuperUser
    November 10, 2015

    hi,

    thanks for posting your custom IPS rule, sadly there are not many published on the forums.

    What bites me is that if you have a FGT in front of your Windows DNS, why don't you control access (or block it altogether) from WAN to it via the policy? I guess it still is an open resolver...

    crispy (Author)
    New Member
    November 10, 2015

    Hi,

    We cannot deny access to the servers entirely as they are authoritative servers for some domain names. What we need to do is implement a couple of resolvers for the Windows network and then turn off recursion on the authoritative servers, which will fix the issue. But until then, this solution has been working very well.
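The detection logic described in the opening post (more than 5 recursive queries per minute from one source IP, then quarantine that source) and the check for the fix described in this reply (recursion turned off on the authoritative servers), as an added Python example. This is not the author's FortiGate IPS rule and not code from the linked article; it emulates the same logic by reading the RD (recursion desired) and RA (recursion available) bits of the DNS header. The sliding 60-second window, the 300-second quarantine length, the sample addresses and every packet byte are assumptions constructed for the example; the post itself only states "more than 5 recursive queries per minute".

```python
import struct
from collections import defaultdict, deque

# Assumed parameters: the post gives only "more than 5 per minute".
QUERY_THRESHOLD = 5        # recursive queries allowed per window
WINDOW_SECONDS = 60
QUARANTINE_SECONDS = 300   # assumed quarantine length, not stated in the post


def parse_dns_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,     # 0 = query, 1 = response
        "rd": (flags >> 8) & 1,      # recursion desired (set by the client)
        "ra": (flags >> 7) & 1,      # recursion available (set by the server)
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


class RecursionRateDetector:
    """Count RD=1 queries per source IP over a sliding window and quarantine
    any source that exceeds the threshold, mirroring the post's IPS rule."""

    def __init__(self, threshold=QUERY_THRESHOLD, window=WINDOW_SECONDS,
                 quarantine=QUARANTINE_SECONDS):
        self.threshold = threshold
        self.window = window
        self.quarantine = quarantine
        self._seen = defaultdict(deque)  # src -> timestamps of recursive queries
        self._quarantined = {}           # src -> time the quarantine ends

    def is_quarantined(self, src: str, now: float) -> bool:
        release = self._quarantined.get(src)
        if release is None:
            return False
        if now >= release:
            del self._quarantined[src]   # quarantine expired
            return False
        return True

    def observe(self, src: str, packet: bytes, now: float) -> str:
        """Return 'drop' while src is quarantined, 'quarantine' on the query
        that crosses the threshold, otherwise 'pass'."""
        if self.is_quarantined(src, now):
            return "drop"
        hdr = parse_dns_header(packet)
        if hdr["qr"] != 0 or hdr["rd"] != 1:
            return "pass"                # responses and non-recursive queries are not counted
        stamps = self._seen[src]
        stamps.append(now)
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()             # forget queries older than the window
        if len(stamps) > self.threshold:
            self._quarantined[src] = now + self.quarantine
            stamps.clear()
            return "quarantine"
        return "pass"


def build_query(name: str, rd: bool, ident: int = 0x1234) -> bytes:
    """Constructed minimal A/IN query for `name`; RD set when rd is True."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(query: bytes, ra: bool, rcode: int = 0) -> bytes:
    """Constructed response echoing the query's ID and question; RA optional."""
    ident = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + query[12:]


def offers_recursion(response: bytes) -> bool:
    """True if the server advertises RA. Once recursion is disabled on the
    authoritative servers, a query for a name they do not host should come
    back with RA clear; checking this confirms the fix took effect."""
    hdr = parse_dns_header(response)
    return hdr["qr"] == 1 and hdr["ra"] == 1


def simulate(events):
    """Feed constructed (src, rd, seconds) events through one detector."""
    det = RecursionRateDetector()
    return [det.observe(src, build_query("example.com", rd), t)
            for src, rd, t in events]


if __name__ == "__main__":
    # Constructed traffic: 203.0.113.5 hammers recursive queries, 192.0.2.10 does not.
    burst = [("203.0.113.5", True, t) for t in range(7)]
    print(simulate(burst + [("192.0.2.10", False, 8), ("203.0.113.5", True, 400)]))
    q = build_query("example.com", rd=True)
    print(offers_recursion(build_response(q, ra=True)),
          offers_recursion(build_response(q, ra=False)))
```

The quarantine check runs before the packet is parsed, so a quarantined source is dropped regardless of what it sends, which is the behaviour the post describes. Only RD=1 queries are counted: authoritative lookups for the hosted zones arrive with RD clear from well-behaved resolvers and never trip the threshold, which is what keeps the rule from cutting off legitimate traffic to the authoritative servers. To verify the eventual fix, send a recursive query for a name the servers do not host and pass the raw reply to offers_recursion; it should return False once recursion is off.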